Hi experts

I would like to get some clarification and advice. I have a 2003 domain with
30 in-office users and 10 remote users (VPN only, OWA, POP3). I'm trying to
enforce a password policy for office users only. What is the best way?

I'm planning to do the following steps:
1. Edit the GPO to enforce the password policy at the user configuration level.
2. Check "password never expires" in the account properties for remote users.
3. Change the remote users' passwords to more complex ones.

Is it a secure way to do it? How can I enforce a password change on next logon?
Will the remote users' passwords ever expire? I do not want those people to be
affected...
I prefer not to create a separate OU for remote users because I have AD
structured based on people's roles.

Thank you

Re: Password Policy for remote users by Roger

Roger
Wed May 24 07:49:34 CDT 2006

There is only one password policy per domain or per machine.
If you will notice, the account policies are not in the User branch but
in the Computer branch of policies. When set in a GPO linked to the
domain object, this controls how DCs enforce policy for all domain
accounts, and this or the highest-priority GPO setting account policies
applied to a member governs how the member enforces the policies
for all machine-local accounts.

So, to accomplish your stated objective you would need to either
use multiple domains, use a custom GINA, or perhaps look at having
a subset of accounts required to use smart cards for login.

Re: Password Policy for remote users by denilia

denilia
Wed May 24 08:10:02 CDT 2006

So, the "password never expires" feature will not work? What about using
different sets of GPO policies for different user/PC OUs?

Where can I find additional info on smart cards? Are there any good vendors
who supply smart cards?

Re: Password Policy for remote users by denilia

denilia
Wed May 24 09:14:01 CDT 2006

Thank you very much, Roger Abell.

Re: Password Policy for remote users by ANIXIS

ANIXIS
Wed May 24 09:19:45 CDT 2006

Setting the "password never expires" flag will stop the password from
expiring, but if a user tried to manually change their password they
would still have to comply with the password policy.

For domain user accounts, the password policy rules only work when
linked at the domain level. You cannot enforce policies by OU unless you
write your own password filter (not practical for a 30-person company),
or purchase a third-party product.

If you don't want to purchase additional software, then the "password
never expires" flag is your best option. If you are willing to spend a
few dollars, then our Password Policy Enforcer product will allow you
to enforce multiple policies and assign them to users, groups, and OUs.
See http://www.anixis.com/products/ppe/features.htm
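Because the "password never expires" flag exempts an account from aging, the exempt accounts are worth auditing regularly. The following is an added example, not part of the original posts: it reads an LDIF-style export of user attributes and lists enabled accounts with the flag set, together with the password age. The account names, the `example.local` domain, the dates and the 90-day maximum age are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
UF_ACCOUNTDISABLE = 0x0002        # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: "password never expires"

def to_filetime(dt):
    """datetime -> 100-ns ticks since 1601 (the format of pwdLastSet)."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def from_filetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines()
                 if ": " in l and not l.startswith("#"))
        entries.append(dict(pairs))
    return entries

def audit_never_expires(entries, now, max_age_days):
    """Enabled, aging-exempt accounts as (name, password age in days, older than policy)."""
    findings = []
    for e in entries:
        uac = int(e["userAccountControl"])
        if (uac & UF_ACCOUNTDISABLE) or not (uac & UF_DONT_EXPIRE_PASSWD):
            continue  # skip disabled accounts and accounts still subject to aging
        age = (now - from_filetime(int(e["pwdLastSet"]))).days
        findings.append((e["sAMAccountName"], age, age > max_age_days))
    return sorted(findings, key=lambda f: f[1], reverse=True)

# Constructed sample data: (name, userAccountControl, days since password was set).
NOW = datetime(2006, 5, 24, tzinfo=timezone.utc)
SAMPLE = [("office1", 512, 30), ("remote1", 66048, 400),
          ("remote2", 66048, 10), ("remote3", 66050, 900)]
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN={n},DC=example,DC=local\nsAMAccountName: {n}\n"
    f"userAccountControl: {uac}\npwdLastSet: {to_filetime(NOW - timedelta(days=d))}"
    for n, uac, d in SAMPLE)

if __name__ == "__main__":
    for name, age, stale in audit_never_expires(parse_ldif(SAMPLE_LDIF), NOW, 90):
        print(f"{name}: password {age} days old{' (older than policy max age)' if stale else ''}")
```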




Re: Password Policy for remote users by Roger

Roger
Wed May 24 08:57:26 CDT 2006

"Password never expires" can be set account by account, and this
does exempt the account from the password aging defined in the
Account policies. You cannot alter the blanket policy for such things
as complexity.

As to your smart card question:
http://search.microsoft.com/results.aspx?mkt=en-US&setlang=en-US&q=smart+card
I do not mention/recommend products by vendor.